IT Events

Preventing laptop theft: Defense-in-depth approach

Publication Date:

February 1, 2012

Expiration Date:

February 1, 2015

Erika Donald, OCIO–Security, Privacy and Policy

Weight:

0

Body Text:

In 2011, 88 laptops were reported stolen at UC Berkeley. Most of these
thefts, according to UC Berkeley Police Department's Lt. Marc DeCoulode, who
manages UCPD's investigation unit, were crimes of opportunity by
individuals from outside of the campus. "Most thefts happen when laptops
are left unattended in offices or in classrooms, and the majority of the
thefts occur in campus libraries, specifically in Doe and Moffit,"
DeCoulode says. "It only takes 10 seconds for a thief to grab a
laptop."

I decided to see just how easy it would be to steal a laptop, if I were
so inclined, and headed over to Doe Library. I walked into the main
stacks and scanned the table tops. Within five minutes, I saw a woman,
mid-twenties, get up and walk away from the table where her laptop
rested, unsecured. I timed her: she chatted with her back to the laptop
for almost four minutes. Why, I wondered, would she be so cavalier with
her valuable possession that surely contained not only private
information but most likely irreplaceable research data?
Most likely, I guessed, the library's tranquil, academic
environment lulled her into a false sense of security. And that's precisely what a thief wants: laptop owners to
drop their guard for just 10 seconds.

When considering laptop (or any PDA)
security, it's best to think of a multi-layered defense-in-depth
approach. Combine physical security with additional, defensive layers
such as encryption and location software.

Laptop portability: its greatest asset and greatest weakness

The UC Berkeley Police Department offers these general tips for both
students and staff to help ensure the physical safety of their laptops:

Write down the manufacturer, model, and serial number of your
laptop and file this information.

Do not walk away from your laptop, even for "a minute". If you
must sleep while you're studying in the library, sleep on the
laptop.

Do not leave valuables in common areas or ask strangers to watch
them for you.

When you leave your room or office, shut curtains or blinds,
lock doors and windows, and take your keys with you [1].

Students heading to college need to take some simple precautions to
protect not only their computers, but all sensitive information,
such as Social Security and credit card numbers from college and
financial applications, that may be saved on their laptops
[2]. Just deleting information from your recycle bin or
trash isn't enough — computer thieves are experts at undeleting
such files.

Decoulode says the start of semester is usually the time
when most student laptops are stolen. "Incoming freshman are more easily
distracted, perhaps a little overwhelmed, and not paying as close
attention to their belongings as they would normally."

Treat your laptop like cash

"If you had a wad of money sitting out in a
public place, would you turn your back on it — even for just a
minute?" [3] When in any public place (i.e.,
airports, convention centers, public washrooms, waiting areas, taxis,
or public transit), keep the same watchful eye on your laptop as you would
on your cash.

Around 637,000 laptops are lost each year at U.S. airports [4], most often at security checkpoints. One technique
thieves use is to move between you and your laptop at the metal
detector. As your laptop moves along the conveyor to pass through the x-ray scanner, one thief in front of you purposely sets off the metal
detector to allow time for the second thief, on the opposite side of the
detector, to pick up your laptop and walk away with it [5] — typically, airport security staff don't know
or care who owns items going through the x-ray scanner.

And when staying at hotels, pay extra attention to your laptop: a
security cable may not be enough. Store your laptop in the safe in your
room. Again, think of your laptop like cash. You wouldn't head out of your hotel room leaving behind a stack of twenties on the table, would you?

Make sure your laptop is identifiable

Another relatively low-cost measure is to identify your laptop to make
its recovery easier and resale harder. There are a number of
solutions available to identify your laptop.

Tools are available to permanently engrave or brand serial
numbers, company names, and logos onto a laptop.

Tamper-resistant tags can be applied to the laptop to identify
it. One well-known anti-theft tag is the Stop Tag. The
manufacture of the Stop Tag states it takes 800 pounds of pressure to
remove this tag [6].

If you make your laptop look unique, there will be less opportunity for
someone to use the excuse that they thought your laptop was theirs.
Often, unique identifying marks, such as stickers, also make the
laptop more difficult to resell.

Encrypting stored data on your laptop

In addition to ensuring the physical security of your laptop, another
defensive security layer to consider is encryption. In fact, UC
Berkeley's Minimum Security Standards for Electronic Information
states that restricted information must not be stored on a
laptop (or any other portable device) unless absolutely necessary and
if so must be strongly encrypted [7].

Encryption obscures the electronic data with an encryption algorithm,
keeping the information private and unavailable to unauthorized persons.
Once the data is scrambled, a key must be used in order to decrypt the
data to make it readable. Only users in possession of this key will be
able to read the encrypted data.

Unfortunately in March 2005, an unencrypted laptop computer containing
sensitive information on more than 98,000 UC Berkeley graduate students
and others was stolen from the Graduate Division when an office was left
momentarily unoccupied. Because there was restricted data (names and
Social Security numbers) on the laptop, and since it was discovered that
the laptop data was not encrypted, the theft raised the alarm for
potential identity theft and triggered a costly requirement to notify
the individuals whose information was stored on the laptop.

Encryption can be applied to laptop data in different ways. The two most
common methods to protect data on laptops are "whole disk encryption"
and "file encryption".

Whole disk encryption protects the entire hard
drive. Because everything is
encrypted, including the operating system, you have to first
"unlock" the encrypted drive with your personal passphrase before
you can even start or boot up your computer. Programs that offer
whole disk encryption include:

Windows BitLocker (Windows Vista and 7 Enterprise and Ultimate Editions) — contact
security at berkeley dot edu
for more information on using BitLocker.

For additional information about the various methods of encrypting your
laptop, see the article Encryption
Tools [PDF] by Allison Henry of IST–System and Network Security.

Laptop location software

Commercial software products are also available that can track stolen
laptops. UCPD Lieutenant Adan Tejada suggests
installing laptop locator software and notes that UCPD currently
installs LoJack Security software on their departmental laptops.

Additionally, some laptop models purchased from Dell, Lenovo (IBM), HP,
and other manufacturers may have Absolute Software's Computrace, which embeds a
tracking agent in the BIOS. The tamper-resistant agent remains active
even if the hard drive is reformatted or replaced [1].

Although there are obvious privacy implications around the use of laptop
location software, anyone with a smartphone has already relinquished a
significant amount of very private location data [8].

Time is of the essence

In the event that your laptop is stolen, remember — time is of the
essence. According to Decoulode, "recovery is usually sooner than
later" after a theft. If recovered quickly, the device is still usually
operable. If you are the victim of a laptop theft, report it
immediately.